REMARKS 

Claims 1-6, 8-15, and 17-22 are pending and stand rejected. In response, claims 1, 5, 6, 
14 and 15 are amended, claims 12, 13, 21 and 22 are canceled, and claims 23-26 are added. 
Claims 1-6, 8-11, 14-15, 17-20, and 23-26 are pending upon entry of this amendment. Support 
for the new claims is found throughout the specification. For example, support for claim 23 is 
found at page 11, lines 11-17. Support for claim 24 is found at page 10, lines 9-12. Support for 
claim 25 is found at page 13, lines 12-16. Support for claim 26 is found at page 15, lines 1-5. 

35 U.S.C. $ 101 Rejections 

Claims 5, 6, 8-15 and 17-22 stand rejected under 35 U.S.C. § 101 because the claimed 
invention is allegedly directed to non-statutory subject matter. Specifically, the Examiner states 
that "the claimed subject matter provides for a final step of adjusting authorized database access 
by changing settings" and "this produced result is not made tangible to a user, and thus remains 
in the abstract and fails to achieve the required status of having real world value." 

Applicants respectfully traverse this rejection as applied to the amended claims. 
Independent claim 5 recites a computer-implemented method and independent claim 14 recites a 
computer-readable medium. The claims thus fall within the enumerated categories of patentable 
subject matter recited in § 101 . 

Once it is established that the claims fall within enumerated categories of patentable 
subject matter, the next step of the § 101 analysis is to determine whether the claims are directed 
to a practical application of an abstract idea. As stated in the MPEP, a claimed invention is 
directed to a practical application of an abstract idea when it transforms an article or physical 
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object to a different state or thing or otherwise produces a useful, concrete and tangible result. 
MPEP2106IV. C. 2. 

Here, the amended claims both transform a physical object and produce a useful, concrete 
and tangible result. Claim 5 recites the step of: 

adjusting authorized database accesses taking into account results of the 

comparing step by changing settings within a database access control 
module of a computer-implemented database server to deny future 
database access to operations by certain users on database tables and 
columns that were previously authorized but were not observed during the 
observing step. 

Similarly, independent claim 14 recites computer program instructions for: 

adjusting authorized database accesses taking into account results of the 

comparing step by changing settings within a database access control 
module of a computer-implemented database server to deny future 
database access to operations by certain users on database tables and 
columns that were previously authorized but were not observed during the 
observing step. 

The database access control module of the computer-implemented database server is a physical 
object that is transformed to a different state when its settings are changed. Changing the 
settings of the database access control module also constitutes a tangible result because it affects 
a real-world object. The claimed result is similar to that recognized as tangible by the United 
States Court of Appeals for the Federal Circuit in the State Street decision. In that case, the court 
stated that 

the transformation of data, representing discrete dollar amounts, by a machine 
through a series of mathematical calculations into a final share price, constitutes a 
practical application of a mathematical algorithm, formula, or calculation, because 
it produces a "useful, concrete and tangible result" - a final share price 
momentarily fixed for recording and reporting purposes and even accepted 
and relied upon by regulatory authorities and in subsequent trades. 

State Street v. Signature , 149 F.3d 1368, 1373 (Fed. Cir. 1998) (emphasis added). Here, similar 
to State Street , the final result is a tangible changing of settings in a database access control 
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module that is used for recording, reporting, and other purposes. Both independent claims are 
therefore statutory under § 101. 

Claims 6 and 15 respectively depend from claims 5 and 14 and recite "generating and 
storing at least one report based upon observing actual accesses to the database." This report 
constitutes a useful, tangible, and concrete result. 

For these reason, Applicants traverse the § 101 rejection. If the Examiner maintains this 
rejection, Applicants respectfully request that the Examiner provide a legal justification for the 
rejection with citations to appropriate case law so that Applicants can more fully address the 
Examiner's concerns. 

35 U.S.C. § 103 Rejections 

Claims 1-3, 5, 8, 9, 1 1-12, 14, 17, 18, and 20-21 stand rejected under 35 U.S.C. § 103(a) 
as being unpatentable over Mattsson (2003/0101355) in view of Ludwig et al. (2003/0167229). 
Claims 4, 10, and 19 stand rejected under § 103(a) as being unpatentable over Mattsson in view 
of Ludwig and further in view of Low et al. ("DIDAFIT: Detecting Intrusions in Databases 
through Fingerprinting Transactions"). Claims 6, 7, and 15 stand rejected under § 103(a) as 
being unpatentable over Mattsson in view of Ludwig and further in view of Vaitzblit 
(2005/0097149). This discussion combines these rejections in order to simplify the issues. 

The independent claims are amended to recite limitations related to observing a 

preselected quantity of database accesses. For example, amended claim 1 recites: 

coupled to the database, a command monitoring module configured to monitor 
actual accesses to the database until a preselected quantity of actual 
accesses have been observed; 

Similarly, amended claims 5 and 14 recite: 
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observing actual accesses to the database until a preselected quantity of 
actual accesses have been observed; 

This limitation was previously recited by claims 13 and 22 and is described in the specification 

at, e.g., page 11, lines 9-11. 

In the rejections of claims 13 and 22, the Examiner asserted that the limitation related to 

observing a preselected quantity of actual accesses is shown by Mattsson at paragraphs 33 and 

50. However, a close inspection of Mattsson demonstrates that it does not teach or suggest the 

claimed limitation. Paragraph 30 states, in total: 

[0033] A second component 13 of the intrusion detection module 10 is adapted to 
store all results from queries including marked items, thereby creating a record 14 
of accumulated access of marked items. If advantageous, the record can be kept in 
a separate log file 15, for long term storage, accumulating data access over a 
longer period of time. 

Thus, paragraph 30 merely discloses that a log file of accumulated data access over a long period 

of time can be maintained. Paragraph 50 is similarly directed to log files: 

[0050] The query result can also be stored in the log file 15 by the intrusion 
detection module, as described above. The log file 15, which thus contains 
accumulated query results from a defined time period, can also be compared to 
the inference patterns 22 in the security profiles 20 of users, roles or servers, this 
time in a "after the event" type analysis. 

Accordingly, neither paragraph identified by the Examiner relates to observing accesses until a 

preselected quantity of accesses have been observed. Rather, the paragraphs simply describe 

how a log file of accesses during a defined time period can be maintained. A person of ordinary 

skill in the art reading Mattsson's teaching of logging accesses during a defined time period 

would not find it obvious to observe accesses based on quantity instead of time. 

The other references also do not teach or suggest observing a preselected quantity of 

accesses as claimed. Ludwig does not related to monitoring database transactions. Low 

describes logging all SQL statements received from a user (§ 4.1) and monitoring over a period 
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of time (§ 2, third paragraph) but does not discuss observing a preselected quantity of accesses. 
Vaitzblit describes a data audit system but also does not discuss observing a preselected quantity 
of accesses. Therefore, a person of ordinary skill in the art considering the teachings of the cited 
references, either alone or in combination, would not find the claimed invention obvious. 

In the Advisory Action, the Examiner states that the "preselected quantity may be the 
number of accesses observed in a defined time period." Applicants respectfully disagree with 
this interpretation of the claim. The pending claims must be "given their broadest reasonable 
interpretation consistent with the specification." Phillips v. AWH Corp., 415 F.3d 1303 (Fed. 
Cir. 2005). The specification distinguishes between observing accesses based on a preselected 
time period and accesses based on a preselected number at page 1 1 , lines 9-11. The Examiner's 
interpretation is thus inconsistent with the specification and unreasonable. 

Applicants respectfully submit that the claims are patentable for the reasons described 
above. Accordingly, Applicants respectfully request that the Examiner allow the application and 
pass it to issue. The Examiner is invited to contact the undersigned to advance the prosecution of 
this case. 

Respectfully submitted, 
HARLAN SEYMOUR ET AL. 

Dated: November 9. 2007 By: /Brian Hoffman/ 

Brian M. Hoffman, Reg. No. 39,713 
Attorney for Applicant 
Fenwick & West LLP 
801 California Street 
Mountain View, C A 94041 
Tel.: (415)875-2484 
Fax: (415) 281-1350 
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